CVE-2022-26500 - OpenCVE

Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is in the KEV database since Dec. 13, 2022.

Exploitation active

Automatable no

Technical Impact total

Vendors	Products
Veeam	Veeam Backup \& Replication

Configuration 1 [-]

OR	cpe:2.3:a:veeam:veeam_backup_\&_replication::::::::
	cpe:2.3:a:veeam:veeam_backup_\&_replication::::::::
	cpe:2.3:a:veeam:veeam_backup_\&_replication:9.5.0.1536:::::::*
	cpe:2.3:a:veeam:veeam_backup_\&_replication:9.5.4.2615:::::::*
	cpe:2.3:a:veeam:veeam_backup_\&_replication:10.0.1.4854:-::::::
	cpe:2.3:a:veeam:veeam_backup_\&_replication:10.0.1.4854:p20201202::::::
	cpe:2.3:a:veeam:veeam_backup_\&_replication:10.0.1.4854:p20210609::::::
	cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:-::::::
	cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:p20211123::::::
	cpe:2.3:a:veeam:veeam_backup_\&_replication:11.0.1.1261:p20211211::::::

No data.

References

Link	Providers
https://veeam.com
https://www.veeam.com/kb4288

History

Mon, 03 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-12-13'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-17T20:56:44.000Z

Updated: 2025-07-30T01:37:45.958Z

Reserved: 2022-03-06T00:00:00.000Z

Link: CVE-2022-26500

Vulnrichment

Updated: 2024-08-03T05:03:33.156Z

NVD

Status : Analyzed

Published: 2022-03-17T21:15:08.193

Modified: 2025-04-03T18:54:21.040

Link: CVE-2022-26500

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-17T20:56:44.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://veeam.com"}, {"tags": ["x_refsource_MISC"], "url": "https://www.veeam.com/kb4288"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-26500", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://veeam.com", "refsource": "MISC", "url": "https://veeam.com"}, {"name": "https://www.veeam.com/kb4288", "refsource": "MISC", "url": "https://www.veeam.com/kb4288"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:03:33.156Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://veeam.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.veeam.com/kb4288"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-26500", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-03T14:08:12.923583Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-12-13", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26500"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "timeline": [{"time": "2022-12-13T00:00:00+00:00", "lang": "en", "value": "CVE-2022-26500 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-30T01:37:45.958Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-26500", "datePublished": "2022-03-17T20:56:44.000Z", "dateReserved": "2022-03-06T00:00:00.000Z", "dateUpdated": "2025-07-30T01:37:45.958Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-17T20:56:44.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://veeam.com"}, {"tags": ["x_refsource_MISC"], "url": "https://www.veeam.com/kb4288"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-26500", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://veeam.com", "refsource": "MISC", "url": "https://veeam.com"}, {"name": "https://www.veeam.com/kb4288", "refsource": "MISC", "url": "https://www.veeam.com/kb4288"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:03:33.156Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://veeam.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.veeam.com/kb4288"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-26500", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-03T14:08:12.923583Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-12-13", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26500"}}}], "timeline": [{"time": "2022-12-13T00:00:00+00:00", "lang": "en", "value": "CVE-2022-26500 added to CISA KEV"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-03T15:27:39.848Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-26500", "datePublished": "2022-03-17T20:56:44.000Z", "dateReserved": "2022-03-06T00:00:00.000Z", "dateUpdated": "2025-07-30T01:37:45.958Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"cisaActionDue": "2023-01-03", "cisaExploitAdd": "2022-12-13", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Veeam Backup & Replication Remote Code Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "matchCriteriaId": "837D781D-E21B-458C-8D4A-59949CE4D580", "versionEndExcluding": "10.0.1.4854", "versionStartIncluding": "10.0.0.4442", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD0C1BCB-A018-4425-AC3D-0CE6EAEF372F", "versionEndExcluding": "11.0.1.1261", "versionStartIncluding": "11.0.0.825", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:9.5.0.1536:*:*:*:*:*:*:*", "matchCriteriaId": "3BC7D0C1-0A10-4704-B8A0-ADFB8B2BA1BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:9.5.4.2615:*:*:*:*:*:*:*", "matchCriteriaId": "1D5BA0C4-F689-4B0E-BBB5-051DEDF40721", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:10.0.1.4854:-:*:*:*:*:*:*", "matchCriteriaId": "12E8F01F-4E41-46F0-94BC-DD5174DDF393", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:10.0.1.4854:p20201202:*:*:*:*:*:*", "matchCriteriaId": "E0417823-7418-4294-BE57-0304772DFE39", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:10.0.1.4854:p20210609:*:*:*:*:*:*", "matchCriteriaId": "06BE9B78-075C-48E6-817A-5E0A89983EBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:11.0.1.1261:-:*:*:*:*:*:*", "matchCriteriaId": "EC28D606-0A9B-46E5-A88C-8041357979DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:11.0.1.1261:p20211123:*:*:*:*:*:*", "matchCriteriaId": "8158D6BC-2041-4600-B935-AD928621D987", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_backup_\\&_replication:11.0.1.1261:p20211211:*:*:*:*:*:*", "matchCriteriaId": "54A5147A-341A-4790-AAA8-DF2648423C50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code."}, {"lang": "es", "value": "Una limitaci\u00f3n inapropiada de los nombres de las rutas en Veeam Backup & Replication versiones 9.5U3, 9.5U4,10.x y 11.x, permite a usuarios remotos autenticados acceder a funciones internas de la API que permiten a atacantes cargar y ejecutar c\u00f3digo arbitrario"}], "id": "CVE-2022-26500", "lastModified": "2025-04-03T18:54:21.040", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-03-17T21:15:08.193", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://veeam.com"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.veeam.com/kb4288"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://veeam.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.veeam.com/kb4288"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}